On Tue, 28 Aug 2001 16:38:14 +1000, "Jason Brooke" <[EMAIL PROTECTED]> wrote:

>> I use the PHP virtual() function to call a CGI script, and that works
>> fine.  But I need to prevent the CGI from being executed directly, in
>> case someone tries to access its URL.
>> Since HTTP_REFERER is unreliable, I was wondering how others have
>> solved this problem ...

>Move it out of the document tree if you don't want it executed via HTTP, and
>use system or exec or something instead of virtual.

Thanks for the idea, but ...

That would cause the script to be executed with permissions of the web
server, and for security, that is generally prohibited by the ISP (we
are the ISP).  The only exception to that rule is public scripts which
reside in:

  safe_mode_exec_dir = /host/runphp

and are thus allowed to execute with permissions of the web server.

To provide for the execution of private user CGIs, each user has their
own /cgi directory.  Apache is configured to recognize /cgi in any URL
as an executable CGI, and wraps all user CGIs with SuEXEC, to run them
with permissions of the user, not the web server.

But of course that means user scripts are accessible via URL.  So the
question remains, how to limit their access.

As the ISP, we could use any feature of the web server for our own
CGIs, but we intentionally avoid that.  We have a hosting environment
with a rich set of customer accessible tools, and we demonstrate that
fact by using only those tools ourselves.  IOW, we use what we sell.

I have some techniques for limiting access to user CGIs, but I still
wonder how others have approached this problem ...

